PT-2024-40212 · Zend · Zend Session

Published

2024-06-07

·

Updated

2024-06-07

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Zend Session (affected versions not specified)
Description: The issue arises when Zend Session validators are attached before the session is started, which causes them not to work as expected. Because the "signature" these validators check against is not stored in the session, an attacker can bypass validators such as RemoteAddr or HttpUserAgent. The underlying cause is that subsequent calls to start() do not retain validator metadata, so the session is marked valid even when the validator checks would fail.
Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
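As an added illustration (a Python model written for this page, not Zend Session's own code), the following shows the check a session manager needs so that validators attached before start() keep working: each validator's signature is written to session metadata on the first start() and must be both present and matching on every later start(). A manager built with strict=False reproduces the lenient behaviour in which a missing signature is treated as valid. The "_VALID" and "_STARTED" keys, the storage dict and the validator class are assumptions of the model.

```python
class SessionInvalid(Exception):
    """Raised when a validator rejects the session."""


class RequestFieldValidator:
    """Validator keyed on one request attribute (RemoteAddr, HttpUserAgent, ...)."""

    def __init__(self, name, field):
        self.name, self.field = name, field

    def current(self, request):
        return request[self.field]


class SessionManager:
    def __init__(self, storage, strict=True):
        self.storage = storage  # dict standing in for the backing session store (assumed)
        self.strict = strict    # False reproduces the lenient behaviour described above
        self.validators = []

    def attach(self, validator):
        self.validators.append(validator)

    def start(self, request):
        meta = self.storage.setdefault("_VALID", {})
        if not self.storage.get("_STARTED"):
            # First start: persist each validator's signature in session metadata.
            for v in self.validators:
                meta[v.name] = v.current(request)
            self.storage["_STARTED"] = True
            return True
        # Later start: every validator must find a stored signature and match it.
        for v in self.validators:
            stored = meta.get(v.name)
            if stored is None:
                if self.strict:
                    raise SessionInvalid(f"{v.name}: no stored signature")
                continue  # lenient: a missing signature is treated as valid
            if stored != v.current(request):
                raise SessionInvalid(f"{v.name}: signature mismatch")
        return True


def resume(storage, request, strict=True):
    """Attach RemoteAddr and HttpUserAgent validators, then start the session."""
    manager = SessionManager(storage, strict=strict)
    manager.attach(RequestFieldValidator("RemoteAddr", "remote_addr"))
    manager.attach(RequestFieldValidator("HttpUserAgent", "user_agent"))
    return manager.start(request)
```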

Weakness Enumeration

Session Fixation

Related Identifiers

GHSA-96C6-M98X-HXJX

Affected Products

Zend Session